Windows Active Directory (AD) is a directory service developed by Microsoft that stores information about various objects on a network.

The Active Directory App analyzes this information and displays it graphically for users and network administrators, including information about domain controllers, forests, sites, users, groups, computers and organizational units. Sumo Logic lets you augment regular Windows Events with this data to get more context out of the logs. For example, by augmenting events with the domain name, you can build searches scoped to a particular AD site, or track the activity of users in a specific Organizational Unit.

Log types

Active Directory diagnostic log files are described in more detail in Microsoft help.

Prerequisites

To begin collecting Active Directory logs, first:

A. Verify the Active Directory module

B. Download and deploy Sumo Logic scripts

A. Verify the Active Directory module

Before proceeding, verify that the Active Directory module for Windows PowerShell is available on the machine that will run the scripts. The module is supported on Windows 7 and Windows Server 2008 R2 and later when the Remote Server Administration Tools (RSAT) are installed. You'll find more information at Microsoft TechNet.

B. Download and deploy Sumo Logic scripts

The scripts must be deployed on a machine that is a member of the domain whose data you want to collect. After deploying the scripts, you'll configure one Script Source in Sumo Logic for domainCollector.ps1 and another for adObjectCollector.ps1.

To deploy the scripts, do the following:

Download the scripts to a folder, for example C:\PSScripts.

Edit the scripts so that SCRIPTPATH matches the path to that folder. Because the collector runs these scripts unattended, restrict write access to the folder and the script files to administrators: anyone who can modify a script can run code with the collector's privileges.

Testing the scripts is optional, but recommended.

To manually test the scripts, do the following:

Open a command line interface.

Run domainCollector.ps1 and adObjectCollector.ps1 from the folder where you installed them, and confirm that each finishes without errors and produces output.
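The following PowerShell is added here as an example and is not one of the Sumo Logic scripts. It runs the checks from sections A and B and the manual test in one pass: it confirms that the ActiveDirectory module is present and the host is domain-joined, warns if anyone other than administrators can modify the script files, then executes each script in a child powershell.exe the way a Script Source does and reports the exit code, output size and run time. The folder C:\PSScripts and the two script names are the ones used on this page; the permission check and the timing are the example's own additions, and the measured run time is what you need when choosing the Frequency in Step 3.

```powershell
# Added example (not one of the Sumo Logic collector scripts): check the
# prerequisites from sections A and B, then run each script once the way the
# collector will and time it. Assumes the scripts were downloaded to
# C:\PSScripts under the names used on this page.
$ScriptPath = 'C:\PSScripts'
$Scripts    = 'domainCollector.ps1', 'adObjectCollector.ps1'

# A. The ActiveDirectory module is installed with RSAT; the scripts cannot
#    query the directory without it.
if (-not (Get-Module -ListAvailable -Name ActiveDirectory)) {
    throw 'ActiveDirectory module not found: install RSAT (Active Directory module for Windows PowerShell) first.'
}
Import-Module ActiveDirectory

# The host must be joined to the domain that is being collected.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) { throw "$($cs.Name) is not joined to a domain." }
$dc = Get-ADDomainController -Discover
Write-Host "Domain $($cs.Domain); directory queries will be answered by $($dc.HostName)"

# B. Each script must exist, and only administrators should be able to change
#    it: the collector runs these files unattended, so write access to them is
#    code execution with the collector's privileges.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write
foreach ($name in $Scripts) {
    $file = Join-Path $ScriptPath $name
    if (-not (Test-Path -Path $file)) { throw "Script not found: $file" }
    $writers = (Get-Acl -Path $file).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $writeMask) -and
        $_.IdentityReference -notmatch 'Administrators$|SYSTEM$|TrustedInstaller$'
    }
    if ($writers) {
        $who = ($writers.IdentityReference | Select-Object -Unique) -join ', '
        Write-Warning "$file is writable by: $who"
    }
}

# Manual test: run each script in a child powershell.exe, as the Script Source
# does, keep its output for inspection and record the run time. Step 3 needs
# the Frequency to be longer than the slowest run measured here.
$results = foreach ($name in $Scripts) {
    $file    = Join-Path $ScriptPath $name
    $outFile = Join-Path $env:TEMP ($name -replace '\.ps1$', '.out.txt')
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    # -ExecutionPolicy Bypass lets the test run where script execution is
    # restricted; omit it if your policy already allows local scripts.
    & powershell.exe -NoProfile -ExecutionPolicy Bypass -File $file 2>&1 |
        Out-File -FilePath $outFile
    $exit = $LASTEXITCODE
    $sw.Stop()
    [pscustomobject]@{
        Script   = $name
        ExitCode = $exit
        Lines    = @(Get-Content -Path $outFile).Count
        Minutes  = [math]::Round($sw.Elapsed.TotalMinutes, 1)
        Output   = $outFile
    }
}
$results | Format-Table -AutoSize

# The slowest run is the lower bound for the Frequency setting in Step 3
# (the page's rule of thumb: a two-hour script gets Every 3 Hours).
$slowest = ($results | Measure-Object -Property Minutes -Maximum).Maximum
Write-Host ("Slowest script took {0} min; set Frequency to an interval longer than that." -f $slowest)
```

Run it from an elevated PowerShell prompt on the domain-joined host where the collector will live. A non-zero ExitCode or an empty output file means the script itself needs attention before you configure a Script Source for it.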

Step 1: Configure a collector

Make sure the collector is installed on a machine that belongs to the domain managed by Active Directory. You can install a single collector and use Remote Windows Event Log Sources, but Sumo Logic recommends installing a collector on each of your domain controllers for performance.

Step 2: Configure event log sources

If you have installed collectors on each domain controller, as recommended, configure a Local Windows Event Log Source on each one. Otherwise, configure a Remote Windows Event Log Source to collect events from each Active Directory server. For these Windows Event sources, set the Source Category so that it shares a prefix with the Script Sources you configure in Step 3 (for example, OS/Windows, or DC/Windows/Event if you follow the naming scheme used there), so that one query can bring in both the event logs and the script output.

Step 3: Configure Script Sources

Perform the configuration described below twice, to set up one script source for adObjectCollector.ps1 and one for domainCollector.ps1.

If your Domain Controllers are all in the same domain, you can run the scripts on just one or a few of them. Because individual Domain Controllers may hold or expose different data, choose the ones that give the most complete view. adObjectCollector.ps1 is the heavier of the two scripts, and there is no reason to pull your AD objects more than once per domain.
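To make that choice with data rather than by guesswork, the PowerShell below (added as an example here, not part of the Sumo Logic app) lists every domain controller in the current domain, probes each one with a small LDAP search to measure reachability and latency, and suggests a writable global catalog as the host for the heavy adObjectCollector.ps1 run. It assumes the ActiveDirectory module is installed and that the caller is a domain user; the preference for writable DCs reflects the fact that read-only domain controllers replicate only a filtered attribute set, so an object collection taken from one can be incomplete.

```powershell
# Added example (not part of the Sumo Logic app): list the domain controllers
# of the current domain, probe each one, and suggest where to run the heavy
# adObjectCollector.ps1. Assumes the ActiveDirectory module is installed.
Import-Module ActiveDirectory
$domain = Get-ADDomain

$candidates = Get-ADDomainController -Filter * | ForEach-Object {
    # Probe: a one-level search under the domain root returns a handful of
    # containers, so it measures responsiveness rather than directory size.
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        $null = Get-ADObject -LDAPFilter '(objectClass=*)' -SearchBase $domain.DistinguishedName `
                             -SearchScope OneLevel -Server $_.HostName -ErrorAction Stop
        $reachable = $true
    } catch {
        $reachable = $false
    }
    $sw.Stop()
    [pscustomobject]@{
        HostName        = $_.HostName
        Site            = $_.Site
        IsGlobalCatalog = $_.IsGlobalCatalog
        # Read-only DCs hold a filtered attribute set, so a full object
        # collection taken from one can be incomplete; prefer a writable DC.
        IsReadOnly      = $_.IsReadOnly
        IsPdcEmulator   = ($_.HostName -eq $domain.PDCEmulator)
        Reachable       = $reachable
        ProbeMs         = $sw.ElapsedMilliseconds
    }
}

Write-Host "Domain controllers in $($domain.DNSRoot):"
$candidates | Sort-Object Site, ProbeMs | Format-Table -AutoSize

# Suggested host for adObjectCollector.ps1: a reachable, writable global
# catalog with the lowest probe latency. Run the heavy script there only;
# domainCollector.ps1 can run on the same host.
$pick = $candidates |
    Where-Object { $_.Reachable -and -not $_.IsReadOnly -and $_.IsGlobalCatalog } |
    Sort-Object ProbeMs | Select-Object -First 1
if ($pick) {
    Write-Host "Suggested host: $($pick.HostName) (site $($pick.Site), $($pick.ProbeMs) ms)"
} else {
    Write-Warning 'No reachable, writable global catalog found in this domain.'
}
```

Run it from the machine that will host the collector, since the latency you care about is the one between that machine and the directory it queries.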

To configure a script source, do the following:

In Sumo Logic, select Manage Data > Collection > Collection.

Find the name of the installed collector to which you'd like to add a Source. Click Add..., then choose Add Source from the pop-up menu.

Select Script for the Source type. Collectors installed with version 19.245-4 and later do not allow the creation of Script Sources by default. To allow them, set the Collector parameter enableScriptSource to true in user.properties and restart the collector. Keep in mind that a Script Source executes whatever command it is given with the collector's privileges, so limit who can edit these sources and the script files they point to.

Name. Enter DomainCollector or ADObjects, depending on which script you are configuring. Description is optional.

Source Host (optional). Enter the hostname or the IP address of the machine. The hostname is stored in a searchable field called _sourceHost. The hostname can be a maximum of 128 characters.

Source Category. Enter a Source Category, following the Best Practices, that lets you include both the logs from these scripts and the Windows Event logs from the Domain Controller(s). For example, DC/Windows/adObjects, DC/Windows/domainCollector, and DC/Windows/Event. This lets you write a query such as _sourceCategory=DC/Windows/* to bring in all AD-related logs.

Frequency. Select a short time for testing (for example, every 5 minutes), then change it to a longer interval once you confirm it’s working.

The Frequency option should be set according to your environment. We use a short interval in our example and testing, but in your deployment, the proper Frequency value depends on how often your topology changes. It's important that the Frequency be set to a time longer than it takes for the script to run. For example, if a script takes two hours to finish, the Frequency should be set to Every 3 Hours. If the topology is relatively stable, the Frequency can be set to a longer value, such as Every 12 hours (it is recommended that each script run at least once every day).

If you'd like to set a timeout for your script, select Specify a timeout for your command. If you don't need a timeout, or if you're running a script once daily, we recommend that you leave this option deselected.

Command. Select PowerShell Script.

Script. Do one of the following:

If you have the script saved to a file location and you do not have restrictions on running scripts, choose Type a path to the script to execute and enter the path to the script. For example, c:\PSScripts\adObjectCollector.ps1 or c:\PSScripts\domainCollector.ps1. (The script path you enter will depend on which script source you are currently configuring.)

If you have restrictions on running scripts, select Type the script to execute. Enter the command you executed during testing on your system. The command will be specific to the script you're configuring: